Introduction
Worldline Sips is a secure multi-channel e-commerce payment solution that complies with the PCI DSS standard. It allows you to accept and manage payment transactions by taking into account business rules related to your activity (payment on despatch, deferred payment, recurring payment, payment in instalments, etc.).
The purpose of this document is to describe the anti-carding system provided by Worldline Sips.
Who does this document target?
This document is intended for merchants using the anti-carding system.
To get an overview of the Worldline Sips solution, we advise you to consult the following documents:
- Functional presentation
- Functionality set-up guide
Contacting the support
For any technical question or request for assistance, our services are available:
- by telephone at: +33 (0) 811 10 70 33
- by e-mail: sips@worldline.com
In order to facilitate the processing of your requests, please provide your merchantId (15-digit number).
Overview
Carding is a fraudulent method of mass verification of the validity of card numbers that have been stolen or generated. Online payment platforms are the main targets of carders because they enable the generation of a large number of transactions on the card numbers to be checked. These are small-amount transactions so as not to raise suspicions. Protecting the system against carding attacks is therefore one of the priorities of web merchants.
The Worldline Sips anti-carding system consists in:
- detecting the carding attack
- alerting you and protecting your payment system in case of an attack
- helping your site to separate normal transactions from carded transactions
- and restoring normal activity
Functional description
Carding detection
Detection criteria
Webshops use the "Anti-carding system" functionality to activate anti-carding surveillance.
This surveillance consists in carrying out the following verifications for every transaction in the webshop:
- Surveillance of the percentage of declined transactions per rolling hour: if the proportion of declined transactions in relation to the total number of transactions exceeds the authorised threshold in a rolling hour, this suggests that card numbers are being verified fraudulently and the webshop is considered to have been carded. This verification is carried out systematically for each transaction and cannot be deactivated; however, the threshold (critical proportion of failures) that triggers the alert can be configured.
- Surveillance of the percentage of small-amount transactions: if the proportion of small-amount transactions in relation to the total number of transactions made exceeds the authorised threshold in a rolling hour, the webshop is considered to have been carded.
In order to avoid false positives, these two verifications are only triggered after a minimum volume of transactions have been carried out in a day.
For more details, we invite you to contact your WL Sips contact.
Eligible interfaces
The anti-carding surveillance works on:
- Sips Paypage
- Sips Walletpage
- Sips Office cardOrder service
- Sips Office cardValidateAuthenticationAndOrder service
Surveillance is not triggered in the following cases:
- transactions with successful 3-D Secure verification (SUCCESS and ATTEMPT statuses)
- OneClick transactions
- token transactions
- non-card transactions
- transactions created through the duplicate and recycle operation
Anti-carding defence and alert
Defence system triggering
The defence system is triggered automatically as soon as the surveillance detects a carding attack on a webshop. It consists in:
- Carrying out strict anti-fraud checks to reduce the chance of accepting fraudulent transactions generated by carding. The strict checks include:
  - Checking that the card country matches your country. All transactions with a card where the country is different from yours are declined.
  - Checking that the country of the customer's IP address matches your country. All transactions from an IP address where the country is different from yours are declined.
- Blocking the sending of the automatic evening remittance to give you time to identify fraudulent transactions so as not to debit the cards that have been carded. This involves all webshop transactions of the day.
Alert sending
When the defence system is triggered, alert e-mails are sent to the distributor's contacts and to the Worldline Sips customer service in order to prevent a carding attack from happening. It is the distributor's responsibility to warn you.
The list of contacts can be configured at the distributor's level.
The alert e-mail contains:
- the name of the webshop involved
- the defence system trigger time
- the reason for the alert being triggered
- the checks triggered for defence
- etc.
A sample alert e-mail is available as an appendix.
Evaluation, securing and purge
Evaluation
When an alert occurs, it is important to respond quickly to know if it is a real attack or a false alarm.
To do this, the Worldline Sips transactions must be compared with the transactions in your order-taking system. The false transactions generated by carding do not appear in your order-taking system. Worldline Sips transactions are searchable via Sips Office Extranet and Merchant Extranet.
If there is a corresponding order for all Worldline Sips transactions, then this is a false alert. You should then move on directly to the 'Restoring normal activity' stage.
If needed, the distributor can contact the Worldline Sips customer service.
Securing
In the event of a real attack, it is important that you quickly carry out securing measures to protect your site. Depending on the type of attack, these measures may consist in:
- changing the certificate or the secret key
- changing or editing the fraud rules
- editing/updating the website
- etc.
Purge
Following the securing of the site, you must purge your operations.
There are three types of unusual transactions:
- False transactions generated by carding and unduly accepted by Worldline Sips. These transactions are present and accepted in the Worldline Sips system, but are not present in your order-taking system. You must cancel (or you must not validate, depending on the transaction capture mode) these transactions via Sips Office Extranet, Merchant Extranet or the web service operations. You can also contact the Worldline Sips customer service and request manual intervention in the event of a significant volume.
- False transactions generated by carding and refused by Worldline Sips. These transactions are present and refused by the Worldline Sips system, but are not present in your order-taking system. There is no need for specific processing on these transactions, they are stored in the database for future analysis.
- Real transactions refused by Worldline Sips, due to strict checks triggered following the detection of carding. There is currently no specific processing for these transactions.
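The comparison described under "Evaluation" and the three-way sorting described under "Purge", written out as an added example (not Worldline Sips code). It assumes a shared reference between the Worldline Sips transaction and the merchant's order, which is a constructed matching key here; the sample transactions are constructed as well.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SipsTransaction:
    reference: str    # assumed matching key shared with the order-taking system
    accepted: bool    # True = accepted by Worldline Sips, False = refused

def is_false_alert(sips_txs, order_refs):
    """Evaluation: if every Worldline Sips transaction has a corresponding order,
    the alert is a false alarm and normal activity can be restored directly."""
    return all(tx.reference in order_refs for tx in sips_txs)

def classify_for_purge(sips_txs, order_refs):
    """Purge: sort the day's Worldline Sips transactions into the three unusual
    groups described above, keyed by the follow-up each one calls for. Transactions
    that are accepted and backed by an order are normal and are left out."""
    groups = {
        "cancel_or_do_not_validate": [],           # carded, unduly accepted
        "keep_for_analysis": [],                   # carded, refused: nothing to do
        "real_sale_refused_by_strict_checks": [],  # genuine order declined during defence
    }
    for tx in sips_txs:
        has_order = tx.reference in order_refs
        if not has_order and tx.accepted:
            groups["cancel_or_do_not_validate"].append(tx.reference)
        elif not has_order:
            groups["keep_for_analysis"].append(tx.reference)
        elif not tx.accepted:
            groups["real_sale_refused_by_strict_checks"].append(tx.reference)
    return groups

# Constructed sample: two genuine orders (one declined by a strict check) and a
# carding burst of references the order-taking system has never seen.
SIPS_TXS = [
    SipsTransaction("ORD-1001", True),
    SipsTransaction("ORD-1002", False),
    SipsTransaction("CARD-7f3a", True),
    SipsTransaction("CARD-7f3b", False),
    SipsTransaction("CARD-7f3c", False),
]
ORDER_REFS = {"ORD-1001", "ORD-1002"}
```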
Restoring normal activity
Restoring normal activity consists in:
- changing the webshop status from "carded" to "normal"
- deactivating the strict defence checks
- unblocking remittance if it has been blocked
Please contact your Worldline Sips customer service to restore the activity.
Following the change in the webshop status, standard surveillance is restarted.
Some events such as sales or knock-down price operations can cause webshops to experience a large number of small-amount transactions. In this case, these legitimate transactions may be interpreted as a carding attempt. It is therefore necessary to temporarily deactivate the anti-carding protection during the event period. If you would like to do so, you must request it from customer support before the promotion starts.
Configuring the anti-carding
Configuring the anti-carding is divided into three parts:
- general configuration
- detection profile
- blocking the remittance
General configuration
The distributor must provide the name, the e-mail address and the telephone number of a contact person for the distributor. This contact person will be notified in the event of an alert.
Detection profile
For the checking of declined transactions, the distributor must provide:
- the number of transactions above which the system starts to check the refusal rate. Below this threshold, the percentage calculation is considered insignificant. This number of transactions is counted over the day starting from midnight.
- and the percentage of declined transactions (authorisation failed) triggering the alert. If the threshold is reached, the alert and the carding defence are triggered.
If the distributor wants to check small-amount transactions (this check is optional), they must provide:
- the number of transactions above which the system starts to check the rate of small-amount transactions. Below this threshold, the percentage calculation is considered insignificant. This number of transactions is counted over the day starting from midnight.
- the small-amount threshold. Transactions where the value is less than or equal to this threshold are considered small-amount transactions.
- and the percentage of small-amount transactions triggering the alert. If this threshold is reached, the alert and the carding defence are triggered.
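The detection criteria described under "Carding detection", driven by the detection profile parameters listed above, as an added example that is not Worldline Sips code. The threshold values, the transaction records and the traffic sample are all constructed; Worldline's actual thresholds and the exact "reached" versus "exceeded" semantics are not given on this page, so the example treats a threshold as reached when the proportion is greater than or equal to it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Transaction:
    time: datetime
    amount: int      # minor currency units (cents); constructed values below
    declined: bool   # True when the authorisation failed

@dataclass
class DetectionProfile:
    # All values set below are constructed placeholders, not Worldline defaults.
    min_volume_declined: int        # daily volume before the refusal rate is checked
    declined_rate: float            # critical proportion of declined transactions
    min_volume_small: Optional[int] = None   # None: small-amount check disabled
    small_amount: Optional[int] = None       # amount <= this counts as small
    small_rate: Optional[float] = None       # critical proportion of small amounts

def evaluate(txs, profile, now):
    """Return triggered reasons ('DECLINED_RATE', 'SMALL_AMOUNT_RATE'). Volume is
    counted from midnight, proportions over the rolling hour ending at `now`; a
    threshold counts as reached when the proportion is >= the configured value."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    daily = sum(1 for t in txs if midnight <= t.time <= now)
    window = [t for t in txs if now - timedelta(hours=1) < t.time <= now]
    reasons = []
    # Below the minimum daily volume the percentage is considered insignificant.
    if window and daily >= profile.min_volume_declined:
        if sum(t.declined for t in window) / len(window) >= profile.declined_rate:
            reasons.append("DECLINED_RATE")
    if window and profile.min_volume_small is not None and daily >= profile.min_volume_small:
        small = sum(t.amount <= profile.small_amount for t in window)
        if small / len(window) >= profile.small_rate:
            reasons.append("SMALL_AMOUNT_RATE")
    return reasons

def sample_day(burst: bool):
    """Constructed traffic: 30 normal sales in the morning, optionally followed by
    a carding-style burst of small, mostly declined authorisations in the last hour."""
    day = datetime(2024, 1, 1)
    txs = [Transaction(day + timedelta(hours=9, minutes=6 * i), 4990, False) for i in range(30)]
    if burst:
        txs += [Transaction(day + timedelta(hours=13, minutes=30 + i), 100, i % 5 != 0) for i in range(15)]
    return txs

PROFILE = DetectionProfile(20, 0.5, min_volume_small=20, small_amount=200, small_rate=0.6)
NOW = datetime(2024, 1, 1, 14, 0)
```

With the burst, `evaluate(sample_day(True), PROFILE, NOW)` reports both reasons; without it the rolling hour is empty and nothing fires, and a burst alone (15 transactions since midnight) stays below the minimum volume, which is the false-positive guard the text describes.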
Blocking the remittance
The distributor must indicate whether they want to block the sending of the remittance in case some carding was detected.